Component Assembly Compositions

Introduction

Component assembly compositions in CycloneDX focus on the completeness of an individual component and its constituent parts. This level of detail allows for a clear understanding of whether a specific component includes all its embedded components, such as configuration files, assets, and other embedded modules.

By describing the composition of individual components, organizations gain greater transparency into the accuracy of their BOMs at a granular level. This helps identify potential gaps in assemblies and ensures that nested relationships are fully documented, providing the context needed for effective risk assessment and compliance tracking. Component assembly compositions ensure that the focus extends beyond high-level inventories to the structural details of each component.

Highlighted fields

Property      Usage Description
aggregate     Describes the overall completeness of the inventory for the component, such as complete or incomplete.
assemblies    Lists the components or services that are structurally part of this component.

This example demonstrates how CycloneDX compositions can represent the completeness of component assemblies within a BOM. The "Acme Application" includes two libraries as dependencies: the "Partner Shaded Library" and the "Acme Library." The "Partner Shaded Library" further embeds an open-source library, "Some Opensource Library," creating a nested assembly structure.

The composition indicates that the assembly for the "Partner Shaded Library" is marked as "complete," meaning all known embedded components are accounted for. However, the assembly for the "Acme Library" is marked as "unknown," reflecting uncertainty about its completeness. This differentiation highlights the ability of compositions to provide transparency into the structural integrity and completeness of individual component assemblies, supporting better decision-making and risk assessment.

Examples

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "acme-application-1.0",
      "type": "application",
      "name": "Acme Application",
      "version": "1.0"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:maven/partner/[email protected]",
      "type": "library",
      "name": "Partner Shaded Library",
      "version": "1.0",
      "purl": "pkg:maven/partner/[email protected]",
      "components": [
        {
          "bom-ref": "pkg:maven/ossproject/[email protected]",
          "type": "library",
          "name": "Some Opensource Library",
          "version": "2.0",
          "purl": "pkg:maven/ossproject/[email protected]"
        }
      ]
    },
    {
      "bom-ref": "pkg:maven/acme/[email protected]",
      "type": "library",
      "name": "Acme Library",
      "version": "3.0",
      "purl": "pkg:maven/acme/[email protected]"
    }
  ],
  "dependencies": [
    {
      "ref": "acme-application-1.0",
      "dependsOn": [
        "pkg:maven/partner/[email protected]",
        "pkg:maven/acme/[email protected]"
      ]
    }
  ],
  "compositions": [
    {
      "aggregate": "complete",
      "assemblies": [
        "pkg:maven/partner/[email protected]"
      ],
      "dependencies": [
        "acme-application-1.0"
      ]
    },
    {
      "aggregate": "unknown",
      "assemblies": [
        "pkg:maven/acme/[email protected]"
      ]
    }
  ]
}
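The checks a consumer would run over the compositions above, as an added example that is not part of the CycloneDX documentation or project code. It uses a constructed, reduced copy of the BOM (short bom-refs such as "lib-partner" are assumed; "lib-missing" is a deliberately dangling reference), walks nested components, and reports the declared completeness of every assembly, treating any component that no compositions entry names as undeclared.

```python
import json

# Constructed, reduced BOM modelled on the example above (not the page's file verbatim).
# "lib-missing" is a deliberately dangling reference to exercise the resolution check.
BOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {"component": {"bom-ref": "acme-application-1.0", "type": "application",
                             "name": "Acme Application"}},
  "components": [
    {"bom-ref": "lib-partner", "type": "library", "name": "Partner Shaded Library",
     "components": [{"bom-ref": "lib-oss", "type": "library", "name": "Some Opensource Library"}]},
    {"bom-ref": "lib-acme", "type": "library", "name": "Acme Library"}
  ],
  "compositions": [
    {"aggregate": "complete", "assemblies": ["lib-partner"], "dependencies": ["acme-application-1.0"]},
    {"aggregate": "unknown", "assemblies": ["lib-acme"]},
    {"aggregate": "incomplete", "assemblies": ["lib-missing"]}
  ]
}"""


def collect_refs(components, refs=None):
    """Gather every bom-ref, descending into embedded (nested) components."""
    refs = [] if refs is None else refs
    for comp in components:
        if "bom-ref" in comp:
            refs.append(comp["bom-ref"])
        collect_refs(comp.get("components", []), refs)
    return refs


def assembly_completeness(bom):
    """Return ({bom-ref: aggregate}, [assembly refs that resolve to no component]).

    A component never named in any compositions.assemblies gets "undeclared": the BOM
    says nothing about that component's own embedded parts, so treat it as unknown.
    Note that "complete" on lib-partner covers lib-partner's assembly only, not lib-oss's.
    """
    status = {ref: "undeclared" for ref in collect_refs(bom.get("components", []))}
    dangling = []
    for comp in bom.get("compositions", []):
        for ref in comp.get("assemblies", []):
            if ref in status:
                status[ref] = comp.get("aggregate", "not_specified")
            else:
                dangling.append(ref)
    return status, dangling


def needs_follow_up(bom):
    """bom-refs whose assembly cannot be trusted as fully enumerated."""
    status, _ = assembly_completeness(bom)
    return sorted(ref for ref, agg in status.items() if agg != "complete")


BOM = json.loads(BOM_JSON)
```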